Different VLANs on different switches

In short, I have two SRW 2024 switches connected together. The first one goes to the router, an ASA 5510 (supports inter-VLAN routing), on the native VLAN, and the second one is trunked on port 12 to the first one. I have been doing lots of research and have found ambiguous answers to my question. My question is: can I have different VLANs on different switches? Meaning, can I have VLAN 10 on the first switch and VLAN 20 on the second, but not have VLAN 20 on the first and VLAN 10 on the second? So far, I have heard that I HAVE to have identical VLANs on both switches in order for them to be able to talk to each other, and I have also heard that that is not true because I can set up routes on my router to make them talk to each other and get on the internet... Does anyone have a definitive answer to my question? I am totally pulling my hair out on this one...

Well, reading this post now makes me wonder if we have the same understanding.
What do you mean by "have VLAN 10 on the first switch" etc.? What do you mean by "have"?
If you connect the ASA to switch 1 and switch 1 to switch 2, and you use VLAN 20 on the second switch and want to give VLAN 20 access to the internet through the ASA, then switch 1 must know about the existence of VLAN 20. A switch will only forward frames for VLANs it knows of. If VLAN 20 does not exist on switch 1, VLAN 20 traffic cannot pass through switch 1.
If you use VLAN 10 only on switch 1 and not on switch 2, you could omit VLAN 10 on the second switch, as no VLAN 10 traffic has to go to switch 2. However, it is generally better to have all VLANs on both switches because it makes management easier.
This has nothing to do with routing, though, as the SRWs are only layer 2 switches. Routing allows you to connect a VLAN to another VLAN or LAN or internet.
Think of a single VLAN like a normal switched LAN. Different VLANs are just like different, physically separated LANs.
If you want to allow traffic between these separated LANs you'll need a router which routes traffic between them.
A managed switch with VLANs allows you to run these different LANs on the same hardware, making the individual VLAN assignments configurable.
A port on a managed switch is usually in one of two modes:
* access mode: an access mode port connects to a normal device like a desktop, printer, or similar. An access mode port can be a member of a single VLAN only, i.e. you have to decide which VLAN it is supposed to belong to. In your case, you configure an access mode port for either VLAN 10 or VLAN 20.
With a single switch things are clear now: some ports are in VLAN 10 and some ports are in VLAN 20. Devices in VLAN 10 can talk to each other. Devices in VLAN 20 can talk to each other. No traffic passes between VLAN 10 and VLAN 20.
Of course, now you want to connect this switch to some other network devices, in particular the second SRW because you need additional ports or have an additional location. And there is the ASA, which provides internet access for these VLANs.
* trunk mode: This is where trunk mode comes in. A trunk mode port can carry multiple VLANs on a single port. This is done using 802.1Q tags. 802.1Q-tagged Ethernet frames have an additional field for the VLAN to which the frame belongs. With this, a switch can send frames for VLAN 10 and VLAN 20 through a single port to another switch or router. Each frame sent is tagged with 10 or 20 depending on which VLAN the frame belongs to. The receiver will accept each frame and assign it to the corresponding VLAN on the receiving side. This way the receiving switch or router is able to keep those VLANs strictly separated.
So let's say you want two VLANs 10 & 20 in your network. You would create VLANs 10 & 20 on your ASA and both SRWs. (Create only means that the device knows this VLAN exists and is able to handle traffic for this VLAN). You would configure LAN port 1 of your ASA as trunk with members VLAN 10 & 20. You configure port 1 & 24 of your first SRW in trunk mode with members VLAN 10 & 20. You configure port 1 of your second SRW in trunk mode with members VLAN 10 & 20. Now you wire port 1 of your ASA to port 1 of your first SRW. Then you wire port 24 of your first SRW to port 1 of your second SRW.
This creates the VLAN trunk through your network. Traffic in both VLANs can travel through this trunk between the switches and to the ASA and from there, if properly routed, into the internet.
In a very simple scenario you configure all remaining ports in access mode. For each access mode port you define whether it belongs to VLAN 10 or 20. If port 2 is in access mode and a member of VLAN 10, then the device connected to port 2 is in VLAN 10.
You are completely free in how you assign the VLANs. If you assign ports 2-24 on switch 2 to VLAN 20 and ports 2-23 on switch 1 to VLAN 10, this is fine. In this case, you could reduce the VLAN configuration a little by not creating VLAN 10 on switch 2 and not adding VLAN 10 to the trunk ports connecting switch 1 and switch 2. However, as mentioned before, I would recommend not doing so. If at some point you decide to have a port in VLAN 10 on the second switch, everything would already be set up if you had created VLAN 10 on the second switch and added it to the trunk.
You must create all VLANs on your ASA and on the first switch in your case. VLAN 20 traffic has to travel through switch 1 (even if there is no end device connected to VLAN 20 on switch 1). Thus, VLAN 20 must exist on switch 1, and the trunk between the ASA, switch 1 and switch 2 must carry VLAN 20 for traffic to pass through. If VLAN 20 did not exist on switch 1, no VLAN 20 traffic could travel through switch 1.
As you only have two switches you will only have a few VLANs, which you should be able to create in the beginning. If you really have to add a new VLAN you have to touch both switches and the ASA. But with some planning, it should not be necessary to add VLANs later. With two 24-port switches you won't have more than 48 VLANs anyway.
Your VLANs "terminate" on the ASA. The ASA is a 802.1q capable router. You can trunk your VLANs to the ASA. The ASA allows you to define gateway interfaces in each VLAN which will operate as gateways for each VLAN. Through that VLANs can talk to the internet. You can also configure the ASA to allow inter-vlan-routing, i.e. let specific traffic be routed from one VLAN to the other. For instance, if you have a printer in one VLAN you could allow traffic to this printer from the other VLAN while still blocking any attempt to access other devices on the other VLAN.
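The forwarding rule in this answer (a switch only forwards frames for VLANs it knows, and a trunk carries several VLANs by 802.1Q-tagging each frame) is easiest to see by modelling it. The Python script below is an added example, not code from the original post or from Cisco/Linksys. The port numbers follow the answer; the MAC addresses, the ARP payload and the Switch, build_frame and parse_frame names are constructed for illustration. It builds real 802.1Q frame bytes (TPID 0x8100, 12-bit VID inside the TCI), models two layer 2 switches with access ports, trunk ports and a VLAN database, and shows that a VLAN 20 broadcast from SRW2 reaches the ASA's trunk port on SRW1 only when VLAN 20 also exists on SRW1, even though the trunk ports allow it.

```python
import struct

TPID_8021Q = 0x8100                 # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_VLAN20 = "02:00:00:00:00:20"   # constructed MAC of a host on SRW2, VLAN 20


def build_frame(dst_mac, src_mac, payload, vlan=None, pcp=0):
    """Build an Ethernet II frame; insert an 802.1Q tag after the MACs when vlan is given."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan is None:
        return hdr + struct.pack("!H", ETHERTYPE_IPV4) + payload
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | vlan   # TCI = PCP (3 bits) | DEI (1 bit, 0 here) | VID (12 bits)
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_frame(frame):
    """Return (dst, src, vlan_or_None, payload); the tag, if present, is stripped."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return dst, src, tci & 0x0FFF, frame[18:]
    return dst, src, None, frame[14:]


class Switch:
    """Layer 2 switch: VLAN database, access/trunk ports, per-VLAN MAC learning, no routing."""

    def __init__(self, name, vlans):
        self.name = name
        self.vlans = set(vlans)   # VLANs created on this switch
        self.ports = {}           # port -> (mode, access_vid_or_allowed_set, native_vid)
        self.mac_table = {}       # (vlan, mac) -> port
        self.drops = []           # (port, reason)

    def access_port(self, port, vid):
        self.ports[port] = ("access", vid, None)

    def trunk_port(self, port, allowed, native=1):
        self.ports[port] = ("trunk", set(allowed), native)

    def _member(self, port, vlan):
        mode, cfg, _ = self.ports[port]
        return cfg == vlan if mode == "access" else vlan in cfg

    def _egress(self, port, vlan, dst, src, payload):
        """Access ports and the trunk's native VLAN send untagged; other trunk VLANs are tagged."""
        mode, _, native = self.ports[port]
        if mode == "access" or vlan == native:
            return build_frame(dst, src, payload)
        return build_frame(dst, src, payload, vlan=vlan)

    def _drop(self, port, reason):
        self.drops.append((port, reason))
        return []

    def receive(self, in_port, frame):
        """Classify the frame into a VLAN, learn its source, return [(out_port, frame)] to send."""
        mode, cfg, native = self.ports[in_port]
        dst, src, tag, payload = parse_frame(frame)
        if mode == "access":
            if tag is not None:
                return self._drop(in_port, "tagged frame received on access port")
            vlan = cfg
        else:
            vlan = native if tag is None else tag
            if vlan not in cfg:
                return self._drop(in_port, f"VLAN {vlan} not allowed on trunk")
        if vlan not in self.vlans:   # trunk membership is not enough: the VLAN must exist here
            return self._drop(in_port, f"VLAN {vlan} does not exist on {self.name}")
        self.mac_table[(vlan, src)] = in_port
        known = self.mac_table.get((vlan, dst))
        if known is None:   # unknown unicast or broadcast: flood, but only within this VLAN
            targets = [p for p in self.ports if p != in_port and self._member(p, vlan)]
        else:
            targets = [] if known == in_port else [known]
        return [(p, self._egress(p, vlan, dst, src, payload)) for p in targets]


def vlan20_reaches_asa(vlan20_on_switch1):
    """VLAN 20 host on SRW2 -> trunk -> SRW1 -> ASA; returns (frames toward ASA, SRW1 drops)."""
    sw1 = Switch("SRW1", {10, 20} if vlan20_on_switch1 else {10})
    sw2 = Switch("SRW2", {10, 20})
    sw1.trunk_port(1, allowed={10, 20})    # SRW1 port 1: to the ASA
    sw1.trunk_port(24, allowed={10, 20})   # SRW1 port 24: to SRW2
    sw1.access_port(2, 10)                 # a VLAN 10 desktop on SRW1
    sw2.trunk_port(1, allowed={10, 20})    # SRW2 port 1: to SRW1
    sw2.access_port(2, 20)                 # the VLAN 20 host, untagged
    frame = build_frame(BROADCAST, HOST_VLAN20, b"ARP who-has 192.0.2.1")  # constructed payload
    to_asa = []
    for out_port, tagged in sw2.receive(2, frame):   # leaves SRW2 tagged 20 on its trunk
        if out_port == 1:
            to_asa += [f for p, f in sw1.receive(24, tagged) if p == 1]
    return to_asa, sw1.drops
```

Calling vlan20_reaches_asa(True) returns one frame tagged 20 on SRW1's ASA-facing port and no drops; vlan20_reaches_asa(False) returns no frames and a drop on port 24 because VLAN 20 is not in SRW1's VLAN database. The same model also shows why access ports and trunk ports are not interchangeable: a tagged frame arriving on an access port is dropped rather than classified by its tag, and flooding is confined to ports that are members of the frame's VLAN.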

Similar Messages

  • Connecting two untagged VLANS from two different switches

    I have a Cisco SG300-52P Small Business switch and hopefully I can explain well what's going on. We have a Juniper EX4200 L3 switch that has a bunch of our corporate VLANs (they are routed VLANs) and that allows communication between all of our corporate networks. We have several other L2 Netgear, HP Procurve, etc... on which we have split the ports down the middle and divided them into two broadcast domains by setting them as untagged VLANs. One cable goes from each of the different VLANs on the L2 switches into different VLANs on the L3 switch. As long as STP is disabled this seems to work fine. However, we tried this same scenario on this Cisco Small Business switch and only one of the two untagged VLANs on the Cisco will pass traffic at a time. I believe that whenever the VLAN that is on the default (VLAN 1) is plugged in, the other (the one we created) shuts down but when VLAN 1 is unplugged, the other VLAN immediately starts to work. What seems weird is that the Cisco seems to learn the Juniper's MAC on the VLAN that doesn't work and the Juniper learns the MAC on the one that does work. In other words, the Juniper does not learn the Cisco's MAC on both of the VLANs that the Cisco is plugged into, as it does with the other L2 switches that we have, and the Cisco does not learn the MACs of the Juniper on both of its VLANs. I hope this is making sense and please let me know if there is any way I can further clarify. I'm sure I'm just doing something dumb that I'm overlooking so feel free to slap me in the face. :-)
    Thank you in advance for your time!

It sounds like there is a layer 2 loop in your network if spanning tree is shutting down the ports. You should be able to do a show spanning-tree on the switch, or look in the spanning tree RSTP interface status.
Are there any other interconnects between devices? Like unmanaged hubs, WAPs with bridging, virtual servers with multiple NIC cards?
Show spanning-tree on each device might show what is going on, or at least tell you which ports are root ports, which ones are forwarding or blocking. Best practice is to configure your spanning tree if you have more than 1 or 2 switches.
A detailed topology showing port numbers, (sanitized) IP addresses, VLANs and purpose, and trunks with which VLANs are tagged and untagged, would help.
From your description, your network looks like:
multiple vlans - layer 3 Juniper switch - netgearS1 vlan1 -- procurveS2 vlan 1 -- ciscoS3 vlan1
                                                       \-- netgearS1 vlan2 -- procurveS2 vlan 2 -- ciscoS3 vlan 2
I'm having trouble visualizing <<One cable goes from each of the different VLANs on the L2 switches into different VLANs on the L3 switch.>>
Are the cables for VLAN 1 going to VLAN 1, or are the cables for VLAN 1 going to a different VLAN on the other switch?
Can you reduce the complexity and number of interconnects by using trunking?
What are the IPs and default gateway of all devices, and of the L3 switch?
These switches do STP, RSTP and multiple spanning tree, but will not do per-VLAN spanning tree, so there may be some configuration required on all switches to get the correct root bridge (the Juniper, I assume).

• Can't communicate between nodes on the same VLAN but on different switches (Cat/Nexus)

    Very odd situation that I cant quite figure out.
I have two Nexus switches connected together with Po5.
Each Nexus has Po6, which connects to a Cat3750.
The nodes are all on VLAN 46.
Nodes that are connected to the Nexus switches can ping each other but can't ping other nodes on the Cat switch.
Here is an oddity. Nodes on the Cat switch CAN ping nodes on the Nexus switches.
It would appear that the nodes on the Nexus (or the switches themselves) do not get the ARP requests.
Oddity 2. When I do show vpc I see on one of the Nexus that VLAN 46 is active:
id     Port        Status Consistency Reason                     Active vlans
6      Po6         up     success     success                    1,31,34,46,200,600-605
When I look at the other switch I don't see VLAN 46:
id     Port        Status Consistency Reason                     Active vlans
6      Po6         up     success     success                    1,31,34,200,600-605
Comparing the configs I don't see a difference between the two (eyeballing sho run).
Here are the running configs for Po6 on both switches (identical):
    MTL-N3548COLO-1# sho run int po6
    interface port-channel6
      switchport mode trunk
      spanning-tree port type normal
      speed 1000
      vpc 6
    Not sure what I am missing. Any help is appreciated.
    Thanks
    Drew

    Your setup with vMotion on a separate subnet is absolutely correct. For the vMotion issues I'd suggest you google for vMotion 14% which will list a couple of KB articles with possible issues and resolutions/workarounds.
    André

  • Make ports on two different switches look like physically wired

    I have two different switches in two different buildings and I need to make the ports look like there is a physical wire between them.
    I have two disjoint networks that can talk to each other through a firewall but I need to be able to easily pass multicast traffic. I have a single PC in one building on my network (network A) and it needs to look like it is wired into the other network (network B) that resides in another building. My biggest problem is that the subnets on Network B (10.129.x.x/24) overlap with the management vlan (10.x.x.x/8) on my network. I have attempted to put all of the ports on Network A and Network B on the same vlan, however I could get no traffic to pass and I believe this is a problem with the overlap. Any help would be appreciated.

So, is there a current connection between switch 1 and switch 2? What VLAN is it in, or is it a trunk link?
    If you want the PC to be in vlan 4 then -
    1) the connection between switch 1 and switch 2 needs to be in vlan 4 at both ends or if it is a trunk link then it needs to allow vlan 4
    2) the connection between switch 1 and the 6500 for both ends needs to be in vlan 4
    then it should work because the PC has a direct path in vlan 4 to the 6500. The fact that there is an overlap in IP addressing doesn't matter because the PC is not routing off switch 2 but off the 6500.
Not sure how this relates to multicast traffic though. Do you mean there are multicast sources in VLAN B and you need the PC to be able to receive them?
    Jon

  • Physical redundancy (CSS connected on two different switches)

    Hello,
    Is it possible for redundancy reasons to connect a CSS to two different switches (like we do for access switches) ?
    I know that one option is to configure both interfaces in the same vlan and use the spanning-tree for the redundancy. However, this will not be transparent for the end-user due to the slow convergence of the spanning-tree (uplinkfast or rapid-pvst is probably not supported).
    Are there any other options ? One interface active, the other backup ?
    Thanks in advance for your reply.
    Gaetan

    Gaetan,
for the CSS we suggest connecting to only one switch and, if the CSS detects a failure with the switch, forcing failover to the redundant CSS.
If you have ASR configured, the failover will be stateful.
    Gilles.

  • Flexconnect AP - dynamic VLAN and local/central switched via radius possible?

    Hello at all,
is it possible to tell a FlexConnect AP whether a client on a single SSID should be locally switched or centrally switched and, if centrally switched, which VLAN it should use?
All I got so far was either centrally switched with dynamic VLAN assignment or locally switched with a static VLAN (because it falls back to the default static VLAN configured on the AP if the RADIUS-assigned VLAN doesn't exist), but I need a FlexConnect AP that puts client A into the locally switched VLAN A and client B into the centrally switched VLAN B, both on the same SSID. Is there a RADIUS attribute to tell a FlexConnect AP how to handle this while non-FlexConnect APs ignore it?
To be more detailed:
At the central location all APs are running in local mode; RADIUS assigns different VLANs to the clients (different departments), let's say client A = VLAN 100, client B = VLAN 200, and this works fine. At the remote locations the APs are running in FlexConnect mode with default VLAN 10 so that the authenticated clients can break out locally and use the local infrastructure for printing and file storage. At these locations RADIUS also says client A = VLAN 100, but client A should be forwarded to local VLAN 10 (which already works because there is no VLAN 100 configured on the AP, so the default static configuration with VLAN 10 is used), while client B should stay on VLAN 200 and should be centrally switched to the controller because it isn't allowed to access the local infrastructure. How could this be done? Creating another SSID isn't a valid option.
    Thank you,
    Christian

    Hi Christian.
This is what the 7.3 mobility design document says about "FlexConnect VLAN Based Central Switching", which is listed in the slide above.
    "From release 7.3 onwards, traffic from FlexConnect APs can be switched centrally or locally depending on the presence of a VLAN on a FlexConnect AP.
    In controller software release 7.2, AAA override of VLAN (Dynamic VLAN assignment) for locally-switched WLANs puts wireless clients on the VLAN provided by the AAA server. If the VLAN provided by the AAA server is not present at the AP, the client is put on a WLAN mapped VLAN on that AP and traffic switches locally on that VLAN. Further, prior to release 7.3, traffic for a particular WLAN from FlexConnect APs can be switched Centrally or Locally depending on the WLAN configuration."
    FlexConnect VLAN Central Switching Summary
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode are as follows:
    •If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.
    •If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.
    •If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.
    •If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode are as follows:
    •If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP). When the AP connects back, this client is de-authenticated and will switch traffic centrally.
    •If the VLAN returned by the AAA server is present in the FlexConnect AP database, the client is placed into a returned VLAN and traffic will switch locally.
    •If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.
    Enjoy your weekend & I am sure you will be able to get this working.
    HTH
    Rasika

  • How do I set up multiple VLANs on a single switch?

    I have two 3750G-24PS switches and three Huawei S2300 switches. I have configured VLANs (15 nos.) in 3750. Is it possible for me to use those three switches for all VLANs or do I have to use separate switches for each VLAN?

    Got this answer.
    You can have as many as 1024 VLANs on a single switch and you need not create the same on Huawei S2300  switches. Create a VTP domain and specify one switch as server and others as transparent. All the VLANs created on server switch will get replicated to other switches.

  • Creating Vlans at Core layer switches ?

    Is there a need to create vlans at core layer switches ? If yes what are the pros and cons for this practice ?
    Actually i have seen some networks doing that!

Well, this is the topology that I'm working on.
We have implemented the 3-layer approach.
1. At the access layer: switches are all L2 (for sure :) )
2. At the distribution layer: all switches are L3 and route incoming data.
3. At the core we have 2 6500 switches. One is configured as L3 and all VLANs are created in it. The second is just a regular L2 device.
And of course there are some switch blocks for server farms and the like.
My issue is
1. Why don't we create VLANs at the distribution layer switches?
2. Why is one core switch acting as L2 and the other acting as L3? What will happen in case of failure of the one acting as L3?
    Ps: the second issue just came up in my mind.

  • Port aggregation on different switches?

    Hello all :)
I have a server PC with two Fast Ethernet NICs (the NICs do support port aggregation).
I know you can connect two 100 Mbps ports of the server to two Fast Ethernet ports of a switch; this way you get one 200 Mbps link. If one of the ports or one of the links fails, the other link keeps working.
This is a very nice redundancy.
My question is:
Is it possible to bundle two Fast Ethernet ports of the server to two different switches? (First Ethernet port of the PC to switch 1 and second Ethernet port of the PC to switch 2; switch 1 and switch 2 are connected to each other with an uplink.)
If possible, what is the CLI command for that?
Thank you very much for helping.

    Hello,
    AFAIK, and unless something has changed very recently, the only way to link two (or more) switches together in a single Etherchannel is in a stack configuration.
    Nortel appears to have a feature called Split MultiLink Trunking, which does multichassis trunking, you might want to have a look at the document below:
    Layer 2 Trunking Availability Strategies using SMLT and DMLT
    http://www.informit.com/articles/article.asp?p=169544&seqNum=3&rl=1
    Regards,
    GP

  • GBICS show up differently on different switches

    Has anyone ever seen the exact same GBICs show up differently on a show interface status command on two different switches? I have a 4507 on one end of the link and a 3750 on the other end of the link. A show interface status on the 4507 indicates that a 1000baseLX is installed in the port. A show interface status on the 3750 is showing that a 1000baseLH SFP is installed on the port, but they are the exact same GBICs. It is throwing me off because I am having UDLD issues so I am trying to find a problem with the fiber or GBICs.

    I'm curious, have you tried to swap the GBICs between the devices and see if the description follows the device?
    The "LX" designation was for the original 5km reach specified standard and the "LX/LH" is for the 10km reach version.  It might be possible that one of the GBICs is the old standard.
    Are you operating this link over MMF (OM-?) or SMF and what is its distance?

  • Single VLAN can have different subnets????????

    single VLAN can have different subnet

    Hi Devang,
Yes, your single VLAN can have different subnets, but they will not talk to each other on IP (layer 3) until you configure routing on your layer 3 device using a secondary IP address on the same logical interface.
But the answer is yes: a single VLAN can have different subnets.
    HTH
    Ankur

  • VLAN : Cannot transfer files switch 3500XL

    Hello,
I have configured VLANs on my switch (802.1Q) with a Linux machine as a router, and I cannot transfer files through SCP or FTP from nodes. It pings but is not able to transfer files. Can you please explain? The network cards on my Linux machine are Intel Pro 100.

    If you can ping through the linux router from one VLAN to another then this would suggest that routing is working correctly.
I would check whether the Linux machine is using IP chains or similar, which I believe is software that provides a firewall function and could potentially be blocking various ports.
How many VLANs are you routing between? The reason I ask is that you mentioned 802.1Q, which is used for trunking VLANs over a single link. How does this fit in with Linux, as I wouldn't have thought a Linux machine can differentiate between 802.1Q and non-802.1Q frames.
    HTH
    PJD

  • Question about VLAN handling for virtual switches and vnets

    Regards,
    We are encountering some problems when using VLAN tagged 10g ethernet. We assign the VLANS to the vsw like this:
    ldm add-vsw net-dev=net2 mtu=9000 vid=vid1,vid2,.... mode=sc primary-vsw0 primary
The mode=sc is due to us planning for a possible Solaris Cluster installation for some guests. The guest gets its vnets like this:
    ldm add-vnet mode=hybrid vid=vid1 vnet0 primary-vsw0 guest
    we use mode=hybrid since this is a NIU 10 gig eth interface in a T4-4. My questions are:
    1. Do you see any problems with this config ?
    2. Do you know of any problems with using VLAN tagging in virtual switches/virtual nets for LDOMs ?
3. When adding or removing VLANs on the vsw, does it need to be recreated, or does an ldm set-vsw vid=vid1,... work dynamically (this goes of course for other vsw properties as well)?
    This is VM Server for SPARC v2.2, Solaris 11 for control and service domains, solaris 10 in the guest LDOMs.
    Thanks,
    Edited by: DamnGoodCoffee! on Nov 2, 2012 4:59 AM

    Hi,
    1.
    - If you want that the vnet is handling the VLAN tagging for you, you need to set the pvid.
    - If you want to do the VLAN tagging in the guest LDOM (via the interface name vnetVLANID00x), it is OK.
    2. We use VLAN tagging in vnetX via setting the pvid for the vnet for guest LDOMs, and we use the interface name based VLAN tagging in the primary domain on the vsw interface.
    3. You don't need to recreate, you can set it. I'm not sure if you need to reboot to let it take effect, but IIRC it is dynamic (should be easy to test).
    Bye,
    Alexander.

  • Traffic Between 2 Ports on Different VLANs on the Same Switch

    Hi,
This question probably results from a flaw in my understanding of network layer 2 versus layer 3 and VLANs, so any additional context in that regard would be very welcome.
If I've got 2 systems on different VLANs that are connected to ports on the same switch (e.g. 2950), with that switch being connected via an uplink to a router or layer 3 switch, and I want to pass traffic between the 2 systems (e.g. copy a file from a folder shared on one system to another), will the traffic pass directly from one port on the 2950 to the other? Or will it need to go through the uplink? I guess it will need to go through the uplink initially as layer 3 needs to be involved for inter-VLAN routing, but I'm wondering if the layer 2 MAC address will ultimately be learned, allowing traffic to pass directly between the systems, not over the uplink.
    Thanks in advance,
    cisco_reader.

    If the hosts are on different Layer 2 Vlans and you want to pass data between them, that data needs to be 'Routed'.
    In order to Route data from one Layer 2 Vlan to another, you need a device capable of Layer 3 Routing. That device can be a traditional Router or can be something called a Layer 3 switch.
    A 2950 switch is Layer 2 only so has the ability to create many Layer 2 Vlans which is what you have done. In order to route traffic between those Vlans, you can either use a router or a L3 switch.
If you decide to use a router, look up something called 'Router on a Stick', which involves creating a trunk link from the 2950 to the router and then setting up subinterfaces on the router's port to act as the 'default gateway' for each of your VLANs.
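Router on a stick as described in this answer, combined with the "allow only the printer" style of inter-VLAN rule from the first answer on this page, as an added example that is not Cisco's code or configuration: one trunk, one subinterface with a gateway address per VLAN, and an ordered ACL with an implicit deny at the end. The RouterOnAStick class, the 192.168.10.0/24 and 192.168.20.0/24 subnets, the printer at 192.168.20.50 and the ACL lines are constructed for illustration; the source-address check in route() is an added sanity check, not something the answer specifies. Traffic that stays inside one VLAN never reaches this code, because the switch forwards it at layer 2; only traffic whose destination is in another VLAN (or on the internet) is sent up the trunk to the gateway.

```python
import ipaddress
from dataclasses import dataclass, replace

OUTSIDE = "outside"   # the router's default route (internet), modelled as a named egress


@dataclass(frozen=True)
class Packet:
    vlan: int     # 802.1Q tag the packet carried on the trunk; None once sent out "outside"
    src: str
    dst: str
    dport: int


class RouterOnAStick:
    """One trunk, one subinterface per VLAN; ordered ACL, first match wins, implicit deny."""

    def __init__(self):
        self.subifs = {}   # vlan -> ip_interface of the gateway address on that VLAN
        self.acl = []      # (action, src_net, dst_net, dport_or_None), evaluated in order
        self.drops = []    # (packet, reason)

    def subinterface(self, vlan, gateway_cidr):
        self.subifs[vlan] = ipaddress.ip_interface(gateway_cidr)

    def rule(self, action, src_net, dst_net, dport=None):
        self.acl.append((action, ipaddress.ip_network(src_net),
                         ipaddress.ip_network(dst_net), dport))

    def _egress_vlan(self, ip):
        """Connected-route lookup: which subinterface's subnet holds this address?"""
        for vlan, gw in self.subifs.items():
            if ip in gw.network:
                return vlan
        return None

    def _permitted(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        for action, s, d, port in self.acl:
            if src in s and dst in d and port in (None, pkt.dport):
                return action == "permit"
        return False   # nothing matched: implicit deny

    def _drop(self, pkt, reason):
        self.drops.append((pkt, reason))
        return None

    def route(self, pkt):
        """Return (egress, packet re-tagged for the egress VLAN), or None if dropped."""
        gw_in = self.subifs.get(pkt.vlan)
        if gw_in is None:
            return self._drop(pkt, f"no subinterface for VLAN {pkt.vlan}")
        if ipaddress.ip_address(pkt.src) not in gw_in.network:
            # added check: a VLAN 20 source arriving tagged 10 is spoofed or misconfigured
            return self._drop(pkt, "source address does not belong to the ingress VLAN")
        if not self._permitted(pkt):
            return self._drop(pkt, "denied by ACL")
        out_vlan = self._egress_vlan(ipaddress.ip_address(pkt.dst))
        if out_vlan is None:
            return OUTSIDE, replace(pkt, vlan=None)   # default route toward the internet
        return out_vlan, replace(pkt, vlan=out_vlan)  # back down the same trunk, new tag


def example_router():
    """VLAN 10 may print on VLAN 20's printer and reach the internet, nothing else in VLAN 20."""
    r = RouterOnAStick()
    r.subinterface(10, "192.168.10.1/24")   # constructed: gateway for VLAN 10
    r.subinterface(20, "192.168.20.1/24")   # constructed: gateway for VLAN 20
    r.rule("permit", "192.168.10.0/24", "192.168.20.50/32", dport=9100)  # printer only
    r.rule("deny", "192.168.10.0/24", "192.168.20.0/24")                 # rest of VLAN 20
    r.rule("permit", "192.168.10.0/24", "0.0.0.0/0")                    # internet
    r.rule("deny", "192.168.20.0/24", "192.168.10.0/24")
    r.rule("permit", "192.168.20.0/24", "0.0.0.0/0")
    return r
```

With example_router(), a VLAN 10 host sending to 192.168.20.50 port 9100 is returned tagged 20, the same host sending SMB (port 445) to another VLAN 20 address is dropped by the ACL, and a packet to a public address goes out the default route. Rule order matters: the printer permit must precede the VLAN 20 deny, and the deny must precede the catch-all permit, or the catch-all would open the whole VLAN.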

  • Re:Can't able to access shared folders from different VLANs in SG300 series switches

    Hi All,
I supplied 3 SG300 series switches for the sole reason of having inter-VLAN routing. I created 4 VLANs in the switches and made one switch a Layer 3 switch and the other 2 Layer 2 switches. Inter-VLAN routing is working fine. I am able to ping PCs from different VLANs. But I am not able to access shared folders. The customer has a Windows 2003 server installed and it is in VLAN 1. There are some folders created on this server and it is very important for users to have access to the folders. Also, I am not able to access shared folders in other VLANs. I have created a case with Cisco Small Business and I got a reply saying that the switches will not support the shared folder feature, which I think is not real. I am having a very hard time implementing this solution in the network. I have a SonicWall firewall after the core switch, which is connected to the ISP.
    ISP<----->Sonicwall FW<----->Core Switch<------>Layer 2 switch<------>Layer 2 switch
    Kindly help me out to resolve this issue.
    Regards,
    Prashant K

    Hi Prashant,
    I think you're running into a Windows firewall issue. SMB file sharing, by default I believe, is only allowed on your local subnet. Please try disabling windows firewall on the computer hosting the shared folder, then see if you can access the shared file.
    Best,
    David
